pierce
Level 13
Message 1 of 3

What's your mitigation plan for CVE-2013-3893 Microsoft Security Advisory (2887505)

Hi All,

What are your plans for any mitigation for the recently announced CVE-2013-3893 that affects all IE versions (more info: http://technet.microsoft.com/en-us/security/advisory/2887505 )?

There is a fixit here: https://support.microsoft.com/kb/2887505 which is just an MSI to download and run to mitigate if you are up to date with patching (needs 2870699 MS13-069: Cumulative security update for Internet Explorer: September 10, 2013 installed to work).

I am hopeful that VSE/HIPS/Webgateway or something McAfee related and already deployed is going to save me from having to do any work.

thanks,

Pierce

Accepted Solutions
Regis
Level 12
Message 2 of 3

Re: What's your mitigation plan for CVE-2013-3893 Microsoft Security Advisory (2887505)

This issue is now covered in a patch issued by Microsoft, but when I see questions like this, the penetration tester in me bristles. Nothing McAfee deploys except MAYBE application whitelisting is likely to help relieve a need to apply mitigations to a browser vulnerability for which an exploit has been publicly released.

VSE and HIPS only know about varieties of exploits that they know about. They don't know of all possible exploits for a given browser vulnerability, or all the automatically generatable unique variants that a given exploit framework such as Metasploit, Canvas or Core Impact can be configured to generate. Webgateway, as well, will only catch exploits it knows about... perhaps some site categorization will save you in some cases, but in general... no.

The right thing to have done on this one is to deploy the fixit, or to have already hardened IE installations with EMET, to alert users to use an alternative browser (and backstop it with a web gateway policy to block Internet Explorer by user agent... which admittedly would be very hard to handle politically in most environments).

Security tools (other than whitelisting) won't save you from a browser or plugin vulnerability. And even whitelisting would be iffy here.

At best, they'll save you from very very common variants of a given exploit. The more people understand how evadable anti-virus and IPS are, the better able to raise the security bar we'll all be as security practitioners.

This is not to say that IPS and AV don't have their place--they do, but defense in depth is the goal, not hoping a security alarm goes off when an intruder jumps through an already open window. To extend a bad metaphor, the mitigation is to close the window... which in this case was doable via the Fixit or having Microsoft EMET deployed.
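
An added example, not part of the original thread or of any McAfee product: before enforcing the "block Internet Explorer by user agent" gateway backstop mentioned in the reply above, a dry run over proxy logs shows who would be affected. The log format, sample lines and function names are constructed for illustration; the matching covers IE 11, which no longer sends an `MSIE` token, and skips old Opera builds that do.

```python
import re
from collections import Counter

# Constructed sample proxy log lines: user, then the quoted User-Agent header.
SAMPLE_LOG = '''\
alice "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
bob "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
carol "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
dave "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.0"
erin "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
alice "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
'''

MSIE_TOKEN = re.compile(r"\bMSIE (\d+)\.")
TRIDENT_TOKEN = re.compile(r"\bTrident/(\d+)\.")

def ie_major_version(user_agent):
    """Return the IE major version behind a User-Agent, or None if not IE."""
    if "Opera" in user_agent:
        return None  # old Opera releases could send an MSIE token
    trident = TRIDENT_TOKEN.search(user_agent)
    if trident:
        # Trident/4.0 is IE 8 ... Trident/7.0 is IE 11. Preferring this token
        # also sees through Compatibility View, which claims "MSIE 7.0".
        return int(trident.group(1)) + 4
    msie = MSIE_TOKEN.search(user_agent)  # IE 6 and 7 have no Trident token
    return int(msie.group(1)) if msie else None

def policy_impact(log_text):
    """Dry run: (users the block would hit, requests per IE version,
    users a rule matching only the literal 'MSIE' would miss)."""
    blocked, versions, naive_misses = set(), Counter(), set()
    for line in log_text.splitlines():
        user, _, rest = line.partition(" ")
        ua = rest.strip().strip('"')
        version = ie_major_version(ua)
        if version is None:
            continue
        blocked.add(user)
        versions[version] += 1
        if "MSIE" not in ua:
            naive_misses.add(user)
    return sorted(blocked), dict(versions), sorted(naive_misses)

if __name__ == "__main__":
    print(policy_impact(SAMPLE_LOG))
```

The User-Agent header is supplied by the client, so this measures and steers cooperating browsers; it is the backstop to "use an alternative browser", while the Fixit, EMET or the patch remains the mitigation.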

pierce
Level 13
Message 3 of 3

Re: What's your mitigation plan for CVE-2013-3893 Microsoft Security Advisory (2887505)

Hi Regis,

Thanks for the detailed response and adding more information around what protection the VSE/HIPS/Web gateway provide.

We explored the fixit in the end but we did not have enough coverage of the needed security patch! In the end we decided to focus on the patching to get up to date and then catch the full fix when released (we also didn't have any experience with the fixits).

I suppose my question was more around priority, if I have ten things to do, it is worth messing around with fixits when we have other mitigations in place and other things to focus on.

thanks again 🙂

Pierce
